dolthub
diff --git a/‎.github/scripts/sanitize_payload.sh‎
Lines changed: 67 additions & 0 deletions b/‎.github/scripts/sanitize_payload.sh‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎.github/workflows/bump-dependency.yaml‎
Lines changed: 46 additions & 42 deletions b/‎.github/workflows/bump-dependency.yaml‎
Lines changed: 46 additions & 42 deletions
diff --git a/‎go/cmd/dolt/commands/cvcmds/verify_constraints.go‎
Lines changed: 22 additions & 14 deletions b/‎go/cmd/dolt/commands/cvcmds/verify_constraints.go‎
Lines changed: 22 additions & 14 deletions
diff --git a/‎go/cmd/dolt/commands/schcmds/copy-tags.go‎
Lines changed: 20 additions & 4 deletions b/‎go/cmd/dolt/commands/schcmds/copy-tags.go‎
Lines changed: 20 additions & 4 deletions
diff --git a/‎go/cmd/dolt/dolt.go‎
Lines changed: 0 additions & 2 deletions b/‎go/cmd/dolt/dolt.go‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎go/go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go/go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go/go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go/go.sum‎
Lines changed: 2 additions & 2 deletions
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+# Inputs via environment variables
+RAW_DEP=${RAW_DEP:-}
+RAW_SHA=${RAW_SHA:-}
+RAW_USER=${RAW_USER:-}
+RAW_MAIL=${RAW_MAIL:-}
+
+# --- Validate dependency via allow-list and map to module path + label
+case "${RAW_DEP:-}" in
+  go-mysql-server)
+    MODULE='github.com/dolthub/go-mysql-server'
+    LABEL='gms-bump'
+    ;;
+  eventsapi_schema)
+    MODULE='github.com/dolthub/eventsapi_schema'
+    LABEL='eventsapi_schema-bump'
+    ;;
+  *)
+    echo "Unsupported dependency '${RAW_DEP:-}'" >&2
+    exit 1
+    ;;
+esac
+
+# --- Validate head SHA/tag (conservative)
+# allow only hex SHAs or safe tag-ish: letters, digits, dot, dash, underscore, plus
+if [ -z "${RAW_SHA:-}" ] || ! printf '%s' "$RAW_SHA" | grep -qE '^[A-Za-z0-9._+-]+$'; then
+  echo "Invalid head_commit_sha" >&2
+  exit 1
+fi
+
+# Keep a short 8-char form if it's a hex SHA; otherwise derive short safe token
+if printf '%s' "$RAW_SHA" | grep -qiE '^[0-9a-f]{40}$'; then
+  SHORT_SHA="${RAW_SHA:0:8}"
+else
+  SHORT_SHA="$(printf '%s' "$RAW_SHA" | tr -cd 'A-Za-z0-9._+-' | cut -c1-12)"
+fi
+
+# --- Validate assignee username (GitHub-compatible subset)
+if [ -z "${RAW_USER:-}" ] || ! printf '%s' "$RAW_USER" | grep -qE '^[A-Za-z0-9-]{1,39}$'; then
+  echo "Invalid assignee username" >&2
+  exit 1
+fi
+
+# --- Validate email; if invalid, fall back to GitHub noreply
+if [ -n "${RAW_MAIL:-}" ] && printf '%s' "$RAW_MAIL" | grep -qE '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'; then
+  SAFE_EMAIL="$RAW_MAIL"
+else
+  SAFE_EMAIL="${RAW_USER}+noreply@users.noreply.github.com"
+fi
+
+# --- Build a safe branch name: <assignee>-<short>
+BRANCH_NAME="$(printf '%s-%s' "$RAW_USER" "$SHORT_SHA" | tr -cd 'A-Za-z0-9._-')"
+
+# Expose sanitized values as step outputs
+{
+  echo "label=$LABEL"
+  echo "safe_module=$MODULE"
+  echo "safe_head=$RAW_SHA"
+  echo "safe_assignee=$RAW_USER"
+  echo "safe_email=$SAFE_EMAIL"
+  echo "safe_branch=$BRANCH_NAME"
+  echo "safe_short=$SHORT_SHA"
+} >> "${GITHUB_OUTPUT}"
@@ -5,31 +5,31 @@ on:
     types: [ bump-dependency ]
 
 jobs:
-  get-label:
-    name: Get Label
-    outputs:
-      label: ${{ steps.get-label.outputs.label }}
+  sanitize-payload:
+    name: Sanitize Payload
     runs-on: ubuntu-22.04
+    outputs:
+      label:        ${{ steps.sanitize.outputs.label }}
+      safe_module:  ${{ steps.sanitize.outputs.safe_module }}
+      safe_head:    ${{ steps.sanitize.outputs.safe_head }}
+      safe_assignee: ${{ steps.sanitize.outputs.safe_assignee }}
+      safe_email:   ${{ steps.sanitize.outputs.safe_email }}
+      safe_branch:  ${{ steps.sanitize.outputs.safe_branch }}
+      safe_short:   ${{ steps.sanitize.outputs.safe_short }}
     steps:
-      - name: Get Label
-        id: get-label
+      - uses: actions/checkout@v4
+      - name: Validate & Sanitize Payload (script)
+        id: sanitize
         env:
-          REPO: ${{ github.event.client_payload.dependency }}
-        run: |
-          if [ "$REPO" == "go-mysql-server" ]
-          then
-            echo "label=gms-bump" >> $GITHUB_OUTPUT
-          elif [ "$REPO" == "eventsapi_schema" ]
-          then
-            echo "label=eventsapi_schema-bump" >> $GITHUB_OUTPUT
-          else
-            echo "$REPO is unsupported"
-            exit 1
-          fi
+          RAW_DEP:  ${{ github.event.client_payload.dependency }}
+          RAW_SHA:  ${{ github.event.client_payload.head_commit_sha }}
+          RAW_USER: ${{ github.event.client_payload.assignee }}
+          RAW_MAIL: ${{ github.event.client_payload.assignee_email }}
+        run: bash .github/scripts/sanitize_payload.sh
 
   stale-bump-prs:
     name: Retrieving Stale Bump PRs
-    needs: get-label
+    needs: sanitize-payload
     outputs:
       stale-pulls: ${{ steps.get-stale-prs.outputs.open-pulls }}
     runs-on: ubuntu-22.04
@@ -38,7 +38,7 @@ jobs:
         id: get-stale-prs
         uses: actions/github-script@v7
         env:
-          LABEL: ${{ needs.get-label.outputs.label }}
+          LABEL: ${{ needs.sanitize-payload.outputs.label }}
         with:
           debug: true
           github-token: ${{ secrets.REPO_ACCESS_TOKEN }}
@@ -89,7 +89,7 @@ jobs:
             }
 
   open-bump-pr:
-    needs: [get-label, stale-bump-prs]
+    needs: [sanitize-payload, stale-bump-prs]
     name: Open Bump PR
     runs-on: ubuntu-22.04
     outputs:
@@ -102,47 +102,51 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go/go.mod
-      - name: Bump dependency
+      - name: Bump dependency (safe)
         working-directory: go
+        env:
+          SAFE_MODULE:   ${{ needs.sanitize-payload.outputs.safe_module }}
+          SAFE_HEAD:     ${{ needs.sanitize-payload.outputs.safe_head }}
         run: |
-          go get github.com/dolthub/${{ github.event.client_payload.dependency }}@${{ github.event.client_payload.head_commit_sha }}
+          GOOS=linux go get "${SAFE_MODULE}@${SAFE_HEAD}"
           go mod tidy
-      - name: Get Assignee and Reviewer
+      - name: Get Assignee and Reviewer (safe)
         id: get_reviewer
+        env:
+          ASSIGNEE: ${{ needs.sanitize-payload.outputs.safe_assignee }}
         run: |
-          if [ "${{ github.event.client_payload.assignee }}" == "zachmu" ]
+          if [ "${ASSIGNEE}" == "zachmu" ]
           then
             echo "reviewer=Hydrocharged" >> $GITHUB_OUTPUT
           else
             echo "reviewer=zachmu" >> $GITHUB_OUTPUT
           fi
-      - name: Get short hash
-        id: short-sha
-        run: |
-          commit=${{ github.event.client_payload.head_commit_sha }}
-          short=${commit:0:8}
-          echo "short=$short" >> $GITHUB_OUTPUT
-      - name: Create and Push new branch
+      - name: Create and Push new branch (safe)
+        env:
+          GIT_USER:  ${{ needs.sanitize-payload.outputs.safe_assignee }}
+          GIT_MAIL:  ${{ needs.sanitize-payload.outputs.safe_email }}
+          BRANCH:    ${{ needs.sanitize-payload.outputs.safe_branch }}
+          COMMIT_BY: ${{ needs.sanitize-payload.outputs.safe_assignee }}
         run: |
-          git config --global --add user.name "${{ github.event.client_payload.assignee }}"
-          git config --global --add user.email "${{ github.event.client_payload.assignee_email }}"
-          branchname=${{ format('{0}-{1}', github.event.client_payload.assignee, steps.short-sha.outputs.short) }}
-          git checkout -b "$branchname"
+          set -euo pipefail
+          git config --global user.name "${GIT_USER}"
+          git config --global user.email "${GIT_MAIL}"
+          git checkout -b "${BRANCH}"
           git add .
-          git commit -m "${{ format('[ga-bump-dep] Bump dependency in Dolt by {0}', github.event.client_payload.assignee) }}"
-          git push origin "$branchname"
+          git commit -m "[ga-bump-dep] Bump dependency in Dolt by ${COMMIT_BY}"
+          git push origin "${BRANCH}"
       - name: pull-request
         uses: repo-sync/pull-request@v2
         id: latest-pr
         with:
-          source_branch: ${{ format('{0}-{1}', github.event.client_payload.assignee, steps.short-sha.outputs.short ) }}
+          source_branch: ${{ needs.sanitize-payload.outputs.safe_branch }}
           destination_branch: "main"
           github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
-          pr_title: "[auto-bump] [no-release-notes] dependency by ${{ github.event.client_payload.assignee }}"
+          pr_title: "[auto-bump] [no-release-notes] dependency by ${{ needs.sanitize-payload.outputs.safe_assignee }}"
           pr_template: ".github/markdown-templates/dep-bump.md"
           pr_reviewer: ${{ steps.get_reviewer.outputs.reviewer }}
-          pr_assignee: ${{ github.event.client_payload.assignee }}
-          pr_label: ${{ needs.get-label.outputs.label }}
+          pr_assignee: ${{ needs.sanitize-payload.outputs.safe_assignee }}
+          pr_label: ${{ needs.sanitize-payload.outputs.label }}
 
   comment-on-stale-prs:
     needs: [open-bump-pr, stale-bump-prs]
 
@@ -29,6 +29,7 @@ import (
 	"github.com/dolthub/dolt/go/libraries/doltcore/doltdb"
 	"github.com/dolthub/dolt/go/libraries/doltcore/env"
 	"github.com/dolthub/dolt/go/libraries/doltcore/merge"
+	"github.com/dolthub/dolt/go/libraries/doltcore/sqle/dsess"
 	"github.com/dolthub/dolt/go/libraries/utils/argparser"
 	"github.com/dolthub/dolt/go/store/types"
 )
@@ -111,30 +112,37 @@ func (cmd VerifyConstraintsCmd) Exec(ctx context.Context, commandStr string, arg
 		return commands.HandleVErrAndExitCode(errhand.BuildDError("Unable to get head commit hash.").AddCause(err).Build(), nil)
 	}
 
-	endRoot, tablesWithViolations, err := merge.AddForeignKeyViolations(ctx, working, comparingRoot, tableSet, h)
+	eng, dbName, err := engine.NewSqlEngineForEnv(ctx, dEnv)
+	if err != nil {
+		return commands.HandleVErrAndExitCode(errhand.BuildDError("Failed to build sql engine.").AddCause(err).Build(), nil)
+	}
+	sqlCtx, err := eng.NewLocalContext(ctx)
+	if err != nil {
+		return commands.HandleVErrAndExitCode(errhand.BuildDError("Failed to build sql context.").AddCause(err).Build(), nil)
+	}
+	defer sql.SessionEnd(sqlCtx.Session)
+	sql.SessionCommandBegin(sqlCtx.Session)
+	defer sql.SessionCommandEnd(sqlCtx.Session)
+	sqlCtx.SetCurrentDatabase(dbName)
+
+	tableResolver, err := dsess.GetTableResolver(sqlCtx)
+	if err != nil {
+		cli.PrintErrln(errhand.VerboseErrorFromError(err))
+		return 1
+	}
+
+	endRoot, tablesWithViolations, err := merge.AddForeignKeyViolations(sqlCtx, tableResolver, working, comparingRoot, tableSet, h)
 	if err != nil {
 		return commands.HandleVErrAndExitCode(errhand.BuildDError("Unable to process constraint violations.").AddCause(err).Build(), nil)
 	}
 
-	err = dEnv.UpdateWorkingRoot(ctx, endRoot)
+	err = dEnv.UpdateWorkingRoot(sqlCtx, endRoot)
 	if err != nil {
 		return commands.HandleVErrAndExitCode(errhand.BuildDError("Unable to update working root.").AddCause(err).Build(), nil)
 	}
 
 	if tablesWithViolations.Size() > 0 {
 		cli.PrintErrln("All constraints are not satisfied.")
-		eng, dbName, err := engine.NewSqlEngineForEnv(ctx, dEnv)
-		if err != nil {
-			return commands.HandleVErrAndExitCode(errhand.BuildDError("Failed to build sql engine.").AddCause(err).Build(), nil)
-		}
-		sqlCtx, err := eng.NewLocalContext(ctx)
-		if err != nil {
-			return commands.HandleVErrAndExitCode(errhand.BuildDError("Failed to build sql context.").AddCause(err).Build(), nil)
-		}
-		defer sql.SessionEnd(sqlCtx.Session)
-		sql.SessionCommandBegin(sqlCtx.Session)
-		defer sql.SessionCommandEnd(sqlCtx.Session)
-		sqlCtx.SetCurrentDatabase(dbName)
 
 		for _, tableName := range tablesWithViolations.AsSortedSlice() {
 			tbl, ok, err := endRoot.GetTable(sqlCtx, tableName)
 
@@ -18,6 +18,8 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/dolthub/go-mysql-server/sql"
+
 	"github.com/dolthub/dolt/go/cmd/dolt/cli"
 	"github.com/dolthub/dolt/go/cmd/dolt/commands"
 	"github.com/dolthub/dolt/go/cmd/dolt/errhand"
@@ -27,6 +29,7 @@ import (
 	"github.com/dolthub/dolt/go/libraries/doltcore/env/actions"
 	"github.com/dolthub/dolt/go/libraries/doltcore/ref"
 	"github.com/dolthub/dolt/go/libraries/doltcore/schema"
+	"github.com/dolthub/dolt/go/libraries/doltcore/sqle/dsess"
 	"github.com/dolthub/dolt/go/libraries/utils/argparser"
 	"github.com/dolthub/dolt/go/libraries/utils/config"
 	"github.com/dolthub/dolt/go/store/datas"
@@ -85,13 +88,26 @@ func (cmd CopyTagsCmd) ArgParser() *argparser.ArgParser {
 }
 
 // Exec implements the cli.Command interface.
-func (cmd CopyTagsCmd) Exec(ctx context.Context, commandStr string, args []string, dEnv *env.DoltEnv, _ cli.CliContext) int {
+func (cmd CopyTagsCmd) Exec(ctx context.Context, commandStr string, args []string, dEnv *env.DoltEnv, cliCtx cli.CliContext) int {
 	fromBranchName, fromRoots, toRoots, usage, err := cmd.validateArgs(ctx, commandStr, args, dEnv)
 	if err != nil {
 		verr := errhand.BuildDError("error validating arguments")
 		return commands.HandleVErrAndExitCode(verr.AddCause(err).Build(), usage)
 	}
 
+	queryist, err := cliCtx.QueryEngine(ctx)
+	if err != nil {
+		cli.PrintErrln(errhand.VerboseErrorFromError(err))
+		return 1
+	}
+	sqlCtx := queryist.Context
+
+	tableResolver, err := dsess.GetTableResolver(sqlCtx)
+	if err != nil {
+		cli.PrintErrln(errhand.VerboseErrorFromError(err))
+		return 1
+	}
+
 	// Load all the tags from fromBranch and toBranch
 	fromBranchTags, err := getAllTagsForRoots(ctx, fromRoots.Head)
 	if err != nil {
@@ -158,7 +174,7 @@ func (cmd CopyTagsCmd) Exec(ctx context.Context, commandStr string, args []strin
 	}
 
 	if tagsSynced > 0 {
-		if err = doltCommitUpdatedTags(ctx, dEnv, workingRoot, fromBranchName); err != nil {
+		if err = doltCommitUpdatedTags(sqlCtx, tableResolver, dEnv, workingRoot, fromBranchName); err != nil {
 			vErr := errhand.BuildDError("failed to commit column tag updates").AddCause(err).Build()
 			return commands.HandleVErrAndExitCode(vErr, usage)
 		}
@@ -240,7 +256,7 @@ func validateDestinationBranch(ctx context.Context, toRoots *doltdb.Roots) error
 
 // doltCommitUpdatedTags commits tag changes in |workingRoot| for the specified DoltEnv, |dEnv|. The commit message uses
 // |fromBranchName| to document the source of the tag changes.
-func doltCommitUpdatedTags(ctx context.Context, dEnv *env.DoltEnv, workingRoot doltdb.RootValue, fromBranchName string) (err error) {
+func doltCommitUpdatedTags(ctx *sql.Context, tableResolver doltdb.TableResolver, dEnv *env.DoltEnv, workingRoot doltdb.RootValue, fromBranchName string) (err error) {
 	if err = dEnv.UpdateWorkingRoot(ctx, workingRoot); err != nil {
 		return err
 	}
@@ -271,7 +287,7 @@ func doltCommitUpdatedTags(ctx context.Context, dEnv *env.DoltEnv, workingRoot d
 	}
 
 	doltDB := dEnv.DoltDB(ctx)
-	pendingCommit, err := actions.GetCommitStaged(ctx, roots, workingSet, nil, doltDB, actions.CommitStagedProps{
+	pendingCommit, err := actions.GetCommitStaged(ctx, tableResolver, roots, workingSet, nil, doltDB, actions.CommitStagedProps{
 		Name:    name,
 		Email:   email,
 		Message: "Syncing column tags from " + fromBranchName + " branch",
 
@@ -46,7 +46,6 @@ import (
 	"github.com/dolthub/dolt/go/cmd/dolt/commands/cvcmds"
 	"github.com/dolthub/dolt/go/cmd/dolt/commands/docscmds"
 	"github.com/dolthub/dolt/go/cmd/dolt/commands/indexcmds"
-	"github.com/dolthub/dolt/go/cmd/dolt/commands/schcmds"
 	"github.com/dolthub/dolt/go/cmd/dolt/commands/sqlserver"
 	"github.com/dolthub/dolt/go/cmd/dolt/doltcmd"
 	"github.com/dolthub/dolt/go/cmd/dolt/doltversion"
@@ -74,7 +73,6 @@ var commandsWithoutCliCtx = []cli.Command{
 	commands.BackupCmd{},
 	commands.LoginCmd{},
 	credcmds.Commands,
-	schcmds.Commands,
 	cvcmds.Commands,
 	commands.SendMetricsCmd{},
 	commands.MigrateCmd{},
 
@@ -61,7 +61,7 @@ require (
 	github.com/dolthub/dolt-mcp v0.2.2
 	github.com/dolthub/eventsapi_schema v0.0.0-20250915094920-eadfd39051ca
 	github.com/dolthub/flatbuffers/v23 v23.3.3-dh.2
-	github.com/dolthub/go-mysql-server v0.20.1-0.20251022212313-70b084ecf8af
+	github.com/dolthub/go-mysql-server v0.20.1-0.20251028181638-d977e491d2e0
 	github.com/dolthub/gozstd v0.0.0-20240423170813-23a2903bca63
 	github.com/edsrzf/mmap-go v1.2.0
 	github.com/esote/minmaxheap v1.0.0
 
@@ -213,8 +213,8 @@ github.com/dolthub/fslock v0.0.3 h1:iLMpUIvJKMKm92+N1fmHVdxJP5NdyDK5bK7z7Ba2s2U=
 github.com/dolthub/fslock v0.0.3/go.mod h1:QWql+P17oAAMLnL4HGB5tiovtDuAjdDTPbuqx7bYfa0=
 github.com/dolthub/go-icu-regex v0.0.0-20250916051405-78a38d478790 h1:zxMsH7RLiG+dlZ/y0LgJHTV26XoiSJcuWq+em6t6VVc=
 github.com/dolthub/go-icu-regex v0.0.0-20250916051405-78a38d478790/go.mod h1:F3cnm+vMRK1HaU6+rNqQrOCyR03HHhR1GWG2gnPOqaE=
-github.com/dolthub/go-mysql-server v0.20.1-0.20251022212313-70b084ecf8af h1:4oCU4A7/8HGzrJ7GUzi8+uRXCjwrhF8muvWnQJibros=
-github.com/dolthub/go-mysql-server v0.20.1-0.20251022212313-70b084ecf8af/go.mod h1:EeYR0apo+8j2Dyxmn2ghkPlirO2S5mT1xHBrA+Efys8=
+github.com/dolthub/go-mysql-server v0.20.1-0.20251028181638-d977e491d2e0 h1:ZVI3G6OcpvvD4MhB1Msppq0s+s/IMrMXQBeDsHtwUOg=
+github.com/dolthub/go-mysql-server v0.20.1-0.20251028181638-d977e491d2e0/go.mod h1:EeYR0apo+8j2Dyxmn2ghkPlirO2S5mT1xHBrA+Efys8=
 github.com/dolthub/gozstd v0.0.0-20240423170813-23a2903bca63 h1:OAsXLAPL4du6tfbBgK0xXHZkOlos63RdKYS3Sgw/dfI=
 github.com/dolthub/gozstd v0.0.0-20240423170813-23a2903bca63/go.mod h1:lV7lUeuDhH5thVGDCKXbatwKy2KW80L4rMT46n+Y2/Q=
 github.com/dolthub/ishell v0.0.0-20240701202509-2b217167d718 h1:lT7hE5k+0nkBdj/1UOSFwjWpNxf+LCApbRHgnCA17XE=